Wednesday, February 29, 2012

You might have noticed that Ryanair is busy with litigation against services which screenscrape flight details from its site or act as resellers of its flights. (Previously on this blog 1|2|3|4|5.)
Usually those cases have centered on arguments that this activity amounts to a breach of either Ryanair's intellectual property rights in their site or their terms of use. However, Ryanair has now added an interesting data protection dimension to its claims in a fresh action against Club Travel. From today's Irish Times:

RYANAIR HAS claimed before the High Court that details about people who book its flights through a package holiday website can be seen by other travellers.

The airline is seeking an injunction stopping Club Travel from selling its flights on the grounds that it amounts to wrongful interference with its copyright and database. Club Travel denies the claims.
Because of the way Club sells the flights, customers who book through it have access to information about other travellers’ flights and know when they will be out of the country, Ryanair alleges.

Club customers, it claims, are told not to input their own email address but a specific address which belongs to Club. As a result, Club customers may access details of other passengers who booked flights the same way, Martin Hayden SC, for Ryanair, argued.

This gives access to information about when other people who booked the flight are abroad and when their homes are unoccupied, counsel said.

Ryanair said it was also concerned that, for the cost of changing a name on a flight, a person who has such access can change the name, address and passport details on another traveller’s flight and obtain that person’s boarding card, he said.

These were serious data protection issues which could expose Ryanair to penalties, he said.

Friday, February 24, 2012

A peculiar feature of Irish law for many outside observers is the fact that search warrants are treated as being an executive rather than judicial function (PDF, ch.4). As a result a number of statutes give police the power to themselves issue such warrants on a "self-service" basis. Yesterday's Supreme Court decision in Damache v. DPP, however, cuts back the scope of these powers somewhat.

In this case Damache was suspected of involvement in a conspiracy to murder Lars Vilks, one of a number of cartoonists said to have insulted Islam by drawing Muhammad. On foot of this suspicion, a senior garda issued a search warrant in relation to his home under s. 29(1) of the Offences Against the State Act 1939 (as inserted by s. 5 of the Criminal Law Act 1976). That section is exceptionally wide and in essence allows a senior garda to issue a search warrant in any terrorist related case in respect of any location without any special circumstances having to be shown:

Where a member of the Garda Síochána not below the rank of superintendent is satisfied that there is reasonable ground for believing that evidence of or relating to the commission or intended commission of an offence under this Act or the Criminal Law Act, 1976, or an offence which is for the time being a scheduled offence for the purposes of Part V of this Act, or evidence relating to the commission or intended commission of treason, is to be found in any building or part of a building or in any vehicle, vessel, aircraft or hovercraft or in any other place whatsoever, he may issue to a member of the Garda Síochána not below the rank of sergeant a search warrant under this section in relation to such place.

Crucially, the garda in question had been centrally involved in the investigation and there were no circumstances of urgency or time pressure in the case. Was the legislation valid insofar as it allowed a warrant to be issued in these circumstances?

Initially, the High Court held that it was. In a disappointing decision which relied on the fallacy that "modern terrorism is different", Kearns P. held that a search warrant was merely a step in the investigative process which did not have to be issued by an independent authority and that in any event the section would be justified on the basis that:

the security demands of countering international terrorism are of a quite different order to those which apply in what might be described as routine criminal offences. Serious injury and harm can be unleashed at any point in the globe by terrorists who can avail of modern technology to devastating effect. That fact was amply borne out by the attack on the World Trade Centre on 11th September, 2001, and many other terrorist acts before and since. The international terrorism of the modern age is a sophisticated, computerised and fast moving process where crucial evidence may be lost in minutes or seconds in the absence of speedy and effective action by police authorities.

On appeal, however, the Supreme Court took an entirely different approach. Building on earlier Irish authorities and applying the ECtHR decision in Camenzind v. Switzerland and the Canadian Supreme Court decision in Hunter v. Southam Inc, the court developed the principle that search warrants should generally only be issued by an independent person:

For the process in obtaining a search warrant to be meaningful, it is necessary for the person authorising the search to be able to assess the conflicting interests of the State and the individual in an impartial manner. Thus, the person should be independent of the issue and act judicially.

Applying this, the court found that the section was invalid insofar as it allowed for search warrants to be granted in respect of any location by a garda involved in the investigation without there being any special circumstances justifying a departure from this rule:

54. This case is decided on its own circumstances. These circumstances include the fact that the warrant was issued by a member of a Garda Síochána investigating team which was investigating the matters. A member of An Garda Síochána who is part of an investigating team is not independent on matters related to the investigation. In the process of obtaining a search warrant, the person authorising the search is required to be able to assess the conflicting interests of the State and the individual person, such as the appellant. In this case the person authorising the warrant was not independent. In the circumstances of this case a person issuing the search warrant should be independent of the Garda Síochána, to provide effective independence.

55. The circumstances of the appellant’s case also includes the fact that the place for which the search warrant was issued, and which was searched, was the appellant’s dwelling house. The Constitution in Article 40.5 expressly provides that the dwelling is inviolable and shall not be forcibly entered, save in accordance with law, which means without stooping to methods which ignore the fundamental norms of the legal order postulated by the Constitution. Entry into a home is at the core of potential State interference with the inviolability of the dwelling.

56. These two circumstances are at the kernel of the Court’s decision.

57. No issue of urgency arose in this case, and the Court has not considered or addressed situations of urgency.

58. The Court points out that it is best practice to keep a record of the basis upon which a search warrant is granted.

59. This Court would grant a declaration that s. 29(1) of the Offences against the State Act, 1939 (as inserted by s. 5 of the Criminal Law Act, 1976) and referred to as s. 29(1) of the Act of 1939, is repugnant to the Constitution as it permitted a search of the appellant’s home contrary to the Constitution, on foot of a warrant which was not issued by an independent person.

Significantly, however, the court clearly flags a preference for search warrants to be issued judicially in future. Rather than simply requiring that a search warrant be issued by a garda who was not personally involved in the investigation, the court holds that "in the circumstances of this case a person issuing the search warrant should be independent of the Garda Síochána, to provide effective independence". This would seem to require that any power to issue search warrants in respect of the home should only be exercised by an outside authority (presumably a district court judge) except in cases of urgency.

At the very least this will force a reevaluation of garda practice in this area - and should also require reconsideration of the procedures in related areas such as GPS tracking or access to telephone and internet data where authorisations are granted internally within the Garda.

The standard of security expected of all employees of An Garda Síochána includes the following:
* access to the information restricted to authorised staff on a "need-to-know" basis in accordance with a defined policy,
* computer systems password protected,
* information on computer screens and manual files kept hidden from callers to offices,
* back-up procedures in operation for computer held data, including off-site back-up,
* all waste papers, printouts, etc. disposed of carefully by shredding,
* all employees must log off from PULSE and other computers on each occasion when they leave the workstation,
* personal security passwords must not be disclosed to any other employee of An Garda Síochána,
* all Garda premises to be secure when unoccupied,
* a designated person will be responsible for all the above within An Garda Síochána with periodic reviews of the measures and practices in place.

Every contact on PULSE leaves a trace and every employee should be acutely aware that all activity under their registered number and password on PULSE is recorded. During an Audit or Investigation procedure they may be asked to account for the reasons they accessed a particular individual's data at any given time and what they did with it afterwards. An Garda Síochána will ensure that appropriate data protection and confidentiality clauses are in place with any processors of personal information on its behalf...

6. AUDITS OF DATA PROTECTION PROCEDURES WITHIN AN GARDA SÍOCHÁNA

To ensure the quality of data retained by An Garda Síochána, and that access to and usage of such data is appropriate within the terms of this Code, each District Officer will, as part of his/her quarterly inspection and audits in line with the Garda Commissioner's policy, examine data under the headings of Quality Control; Data Accuracy; Access to Data; and Usage of Data.

In addition to this, the Garda Professional Standards Unit will conduct examinations and reviews of Data Protection procedures as part of their ongoing examination and review process.

Unfortunately, it seems that the 2007 Code of Practice has been neglected. In particular, there has been a failure to implement the agreed monitoring of the use of the PULSE system and in his 2010 Annual Report the Data Protection Commissioner stated that:

It is disappointing to report that, despite our repeated engagements on this issue, the monitoring of access by members of An Garda Síochána to Pulse falls short of the standards we expect. We wish to see significant progress by the Gardaí in pro-actively monitoring Pulse access in 2011 and will be carrying out an audit to satisfy ourselves of this progress.

Today's Irish Times brings the story up to date, and reveals that a Garda system to monitor access to PULSE has now been put in place (four years after it was first promised) while the Data Protection Commissioner's audit will proceed in the next three months. I look forward with interest to the results - particularly if the audit goes beyond PULSE to also examine the weak controls over Garda surveillance powers which have led to at least one serious case of abuse.

Monday, February 20, 2012

It is shocking but not surprising that not a single civil servant has been fired for an incredible bout of behaviour at the so-called Department of Social Protection.

It seems that almost 100 departmental employees accessed the personal files of the public and passed on highly sensitive information to insiders. They snooped on their friends, on colleagues and celebrities.

It is hardly of reassurance to know that this has not been going on for a few weeks but for more than seven years, and involved thousands of records being improperly interfered with. In short, it is a disgraceful breach of trust, which just shows the corrosion at the heart of our civil service, a once-pristine post-colonial inheritance.

And yet, not one member of staff has been sacked for their conduct. Not one. This is despite the offenders breaching both the Data Protection Act and the department's own internal rules. Instead, 87 staff members were 'sanctioned' for improperly accessing sensitive data...

And yet what is most amazing is how little outcry there has been about this, or comment from our otherwise vocal politicians, whose ambition is to actually be responsible for public servants. But then they are so immersed in the culture of the public service, and its indulgences and leniency, that they presumably don't see anything to get too alarmed about.

But you can be damn sure that if it was journalists doing this snooping, or bank officials leaking sensitive personal info, there would be an outcry and robust calls for enquiries and dismissals.

Against this background, it's significant that two prosecutions have recently been taken over data misuse. The first, reported in December, involved a staff member in Revenue who leaked information on a number of individuals to contacts including a private investigator. That case was somewhat outside the data protection mainstream - it was detected to a large extent by accident and dealt with primarily by Gardai rather than the Data Protection Commissioner - but still held out hope for the greater use of criminal sanctions in appropriate cases. That hope has now been realised by a second successful prosecution - this time of three large insurance companies found to be receiving information unlawfully accessed by private investigators from the Department of Social Protection. While the case against the companies is now concluded, a related investigation is continuing into the insider in the Department who was responsible for passing on the information.

What should we make of these cases? In one way the prosecutions still represent only small steps towards more effective enforcement. The penalties are still derisory - in each case the Probation Act was applied so that the defendants escaped conviction on the basis that they made charitable donations. The substantive offences are also lacking - in the Social Protection case the prosecution was based on processing of data other than in accordance with registration rather than any more serious offence. (Sections 19(2)(a) and 19(2)(b) of the 1988 Act.)

From a wider perspective, however, the prosecutions represent an important step forward. The Revenue case seems to have been the very first prosecution under sections 21 and 22 of the Data Protection Acts 1988 and 2003, and certainly the first such prosecution on indictment. Similarly the Social Protection case is important in its own right in that it came out of ongoing work by the Data Protection Commissioner - dating back to 2007 and including a 2008 Code of Practice - and represents the first time that the insurance industry has been effectively held to account for systematic wrongdoing. Combined with recent amendments which create specific offences of leaking Revenue information these cases may finally begin to dislodge the culture of snooping within much of the public sector.

Fortunately, I discovered during the week that the Labour Party has an explicit commitment as to what should be done in these circumstances. Here's an excerpt from their 2011 policy document "New Government, Better Government":

Attorney General’s Advice

50. In specific circumstances the Attorney General’s advice to government should be published. If the advice of the Attorney General is publicly relied upon as justifying or necessitating a particular course of action adopted by the Government or by a minister, privilege should not preclude the publication of a summary of the arguments as they relate to:
* the development of a legislative proposal by the government, a minister of the government or a minister of state, or by any other member of the Dáil or Seanad,
* the introduction of a Bill or resolution in either House of the Oireachtas or the passage, defeat or amendment of a Bill or resolution in either House,
* the making, revocation or amendment of a statutory instrument, or
* the development or amendment of a policy or programme of a public body, unless the advice is given in the course of litigation or in relation to pending or contemplated litigation.*
* Appropriate provision would be taken for the protection of commercially sensitive information and information to do with private individuals, national security, the detection and prosecution of crime, and so on.

I couldn't agree more, and look forward to this Labour policy being applied to the current statutory instrument.

---

\* A question might be raised as to whether publishing advice might prejudice the pending music industry litigation. It could be argued that advice about Ireland's obligations under the Infosoc Directive should not be released, though the Minister has already rather let the cat out of the bag by stating to the Dáil that the advice is that "the State is at risk of actions against it, which would probably result in substantial damages". However, even granting this point there is no reason not to publish the advice about the distinct issue of how to implement the Directive. For example, why was a SI considered appropriate and not primary legislation? How was the vague wording chosen? Why did the Minister reject the suggestions in the Technical Group's alternative draft SI? There is no possible prejudice in providing more clarity on these points.

Monday, February 06, 2012

We need to address the threat to humanity posed by the tsunami of unverifiable data, opinion, libel and vulgar abuse in new media. I know all the stuff about it being a tool of freedom and democracy, and I also know it has the capacity to destroy civil society and cause unimaginable suffering. Governments have a regulatory function in this regard, and they’re walking away from it because they’re afraid of appearing to be repressive.

Ironically today's speech by Alan Crosbie at a conference on media diversity is itself full of such unverifiable data and opinion. For a man who makes much of the credibility and reliability of newspapers, it is unfortunate that he repeats the long since debunked claim that:

Those English riots, for example, were a new media generated phenomenon, a product of information going from pillar to post without mediation without being edited, without a quality check.

Also worth noting is the cognitive dissonance between page 3 (complaining about political interference in RTE) and page 4 (seeking licence fee payments for newspapers also). Read the whole thing for an insight into the views of the man behind a substantial chunk of the Irish media industry.

Sunday, February 05, 2012

One of the strongest arguments against the proposed copyright statutory instrument is that it is so vague as to make it impossible to predict what it might require of internet intermediaries. The proposal is entirely silent in relation to the most basic issues where one might expect clarity. What type of injunction might be granted? Site blocking? Three strikes? Deep packet inspection? Hash value blocking? What types of intermediaries might be affected - ISPs, search engines, hosting providers, cloud computing providers? Who will have to pay the legal costs of applications for injunctions? Who will have to pay the ongoing cost of implementing any injunction?

Crucially, this vagueness is highlighted by comments of Charleton J., the very High Court judge whose ruling in EMI v. UPC has been relied upon by Sean Sherlock as justification for this statutory instrument. However, when examined closely neither his judgment in that case nor his later extrajudicial pronouncements support this claim. In particular, in a recent speech to the Fordham Intellectual Property Conference, he said:

Legislation such as the [UK Digital Economy] Act of 2010, has at least the predictability of express statement as to the objects to be achieved. In respect of each of the possible solutions of diversion, interruption, warning and cut-off, the British have OfCom looking at the appropriate technical machinery with which to achieve these ends. When this machinery is approved, then, in those circumstances, any court faced with these difficult cases will be in a position to fairly, if not precisely, predict what they can use as a technical solution with a view to granting or refusing to grant injunctions.

This strongly accords with the European law principle that the law should be predictable as to what is mandated and what is forbidden and enables a judge to also know what is expected in the judicial sphere in particular circumstances. As I said in another part of the judgment in EMI v. UPC, if any judge were merely to act on the basis of what the Court felt was right, without having a legislative basis, the Court would be putting itself back in the position of judges in the late 19th and 20th century who used the tort of conspiracy and the remedy of an injunction against the trade union movement and thereby caused public controversy, rendered uncertain the concept of the rule of law and undermined their own authority.

It may also be well for the judicial mind to observe that the separation of powers is a definite guiding principle against doing what might seem desirable, but which is not provided for in legislation.

"The law should be predictable as to what is mandated and what is forbidden and enables a judge to also know what is expected in the judicial sphere in particular circumstances". Can the DJEI honestly claim that their proposed statutory instrument meets these criteria?

Senior Counsel John Gordon has a clear explanation as to why Sean Sherlock's proposed copyright regulations are unnecessary in today's Sunday Business Post. I've taken the liberty of reproducing the entire piece here:

Simplistic Internet regulations court trouble

Amendments to copyright law for online infringements should be dealt with through primary legislation, writes John Gordon

There has been much debate in recent weeks about a draft statutory instrument (SI) that minister of state Sean Sherlock is about to bring into Irish law to deal with online copyright infringement. The SI is intended to fulfil Ireland's EU obligations by facilitating injunctions against internet service providers (ISPs). This follows the decision of Justice Charleton in 2010 in the unsuccessful action taken by Irish recording companies, EMI, Sony, Universal, Warner and Wea against UPC, in which I appeared on behalf of the defendant.

These recording companies last month issued proceedings against the state on the basis that it is liable to pay compensation for its failure to provide them with a remedy to fight online copyright infringement. This raises the question of how the state has failed in its obligations.

In Minister Sherlock's press release on January 26, accompanying a draft of the proposed SI, it was stated that the obligations contained in the relevant directive were clear.

Article 8(3) of the directive on the harmonisation of certain aspects of copyright and related rights in the information society, (2001/29/EC), which is referred to in the draft SI, provides that member states shall ensure copyright owners are in a position to apply for injunctions against intermediaries whose services are used by others to infringe copyright. The directive states that the conditions and modalities for such injunctions are at the discretion of member states.

Having taken into account these provisions, the state did in fact legislate to provide a remedy to rightsholders in respect of copyright infringements under the notify and takedown provisions of Section 40(4) of the Copyright and Related Rights Act 2000.

In addition, rightsholders have been granted Norwich Pharmacal Orders under the common law, which obliges an ISP to identify subscribers who are shown to have infringed copyright on the ISP's network so the rightsholders can pursue such infringers directly. Such relief has historically been obtained by the recording companies that are now suing the state.

However, they consider it too expensive and ineffective. So what is now being sought is not the right to a remedy but an additional remedy under Irish law. There is no clear and unambiguous obligation on the state to implement this SI.

In the UPC case the reliefs sought included the possible implementation by ISPs of filtering and blocking technology on their network, and of a graduated response system, whereby after three warnings a person's internet subscription is suspended or terminated and/or the blocking of subscriber access by ISPs to certain websites alleged to facilitate copyright infringement.

A recent decision of the Court of Justice of the EU (Case C-70/10 SABAM) has confirmed, since the UPC case, that it is unlawful under EU law for an ISP to be ordered to implement blocking and filtering technology on its network to seek out copyright infringements.

In addition, Eircom's implementation of the graduated response, or three strikes, system, which is the subject of specific legislation in certain member states, is currently being challenged by the Data Protection Commissioner before the Irish Courts.

Given the progress of legislative and judicial thought in the EU, it is now even more clear that the type of remedy which rightsholders seem to expect as a result of the proposed SI will not be available to them.

As a result, the state cannot be liable to pay compensation for failing to provide these remedies under Irish law.

The generality of the language in the proposed SI can only lead to confusion as to the precise remedies that can lawfully be obtained in the light of other express provisions of EU law. Such EU law is intended to cut down on the scope of the remedies available against ISPs.

Judges will have to approach any new legislation by reference to EU law and jurisprudence, which must take precedence over Irish domestic law where there is any inconsistency between the two.

If this whole debate is a matter of empowering the Irish courts to order the blocking of websites, as many commentators have stated in recent weeks and months, then the legislation should specifically address this and set out the relevant criteria in a manner consistent with EU law. The proposed SI introduces unwelcome uncertainty and will inevitably lead to further litigation.

Further, it is noteworthy that the Programme for Government stated that legislation in the area of online copyright infringement needed to be tackled — but went on to say that "the situation can no longer be tolerated where Irish ministers enact EU legislation by statutory instrument", where "the checks and balances of parliamentary democracy are bypassed". The proposed SI ignores this statement, in that it seeks, without the benefit of the normal legislative process, to amend the Copyright and Related Rights Act 2000, which itself was the subject of lengthy debate in both houses of the Oireachtas at the time.

Implementing this alarmingly simplistic SI will unfortunately not solve the problem of striking a fair balance between the interests of all involved, be they rightsholders, ISPs or internet users, but rather leave it to be teased out in the courts. Time should be taken to properly consider what changes need to be made to our copyright laws by means of primary legislation. In this context, assistance can be obtained from considering similar debates currently taking place in many other jurisdictions including the United States of America.

John Gordon is a senior counsel

It's worth noting, although not explicitly stated, that the effect of this opinion is that the proposed statutory instrument would be ultra vires the power of the Minister and therefore would be struck down if challenged before the High Court. To date the government talking points have been to the effect that it would be "prudent" to introduce the SI. John Gordon's analysis shows why this is flawed - unless the SI is required by EU law then the Minister has no power to introduce it.

Today's Sunday Independent reveals that a private investigator acting for Irish Rail illegally accessed staff bank accounts, while the company also monitored staff email and placed a GPS tracking device on the car of an individual working for a contractor:

A statement issued by the Data Protection Commissioner's office this weekend said Irish Rail "acknowledged" the "unacceptable level of surveillance" on employees: "It was apparent to the investigation that one senior manager at Irish Rail authorised the surveillance and accessing of bank accounts without the knowledge or approval of management."

The investigation found "that the private bank accounts of nine employees or former employees of Irish Rail were inappropriately accessed in 2007. The bank accounts were held in four different financial institutions".

Because of the passage of time, the investigation was unable to identify "precisely how or when" employee bank accounts had been accessed. "In one case, however, the investigation did find evidence of an unsuccessful attempt by an individual by means of a telephone call to obtain bank statement information in respect of one of the bank accounts concerned," the statement said.

"The investigation was satisfied that this attempt to inappropriately access bank account information was made by an individual phoning from outside of the State."

The statement continued: "It also emerged that the individual who played the key role in accessing information from the bank accounts was operating from outside of this jurisdiction and that he is since deceased."

The investigation was also told how a GPS tracking device was fitted on the car of an employee of a contractor of Irish Rail, and the emails of 35 employees were monitored.

The investigation into the data protection breach at Irish Rail remains "open".

Wednesday, February 01, 2012

I have an opinion piece in today's Irish Times arguing against current government proposals which would allow internet blocking and more. Here's an excerpt:

As currently drafted, the statutory instrument provides that the High Court may grant an injunction against an internet intermediary who is entirely innocent of any wrongdoing – but does not specify even the most basic details regarding how this power might be exercised.

What type of injunction might be granted? On what criteria? Against what types of intermediary – internet service providers, discussion forums, search engines, social networking sites, video hosting sites? Who will bear the costs of these injunctions? Who will be responsible if, as often happens, an unrelated website is wrongfully blocked?

This lack of detail makes it impossible to predict how this law might be applied, and means that clarification will come only after repeated and expensive trips to the High Court.

The Internet Service Providers Association of Ireland (whose members include Google) has opposed the legislation, noting the proposal creates “business uncertainty for those running or considering establishing internet services from Ireland” in a way which may have “drastic consequences” for them: in short, it will act as a deterrent to the next generation of Irish internet businesses which may relocate to warmer legal climes. Significantly, the Department of Enterprise has not produced a Regulatory Impact Assessment of the measure.